[SERVER-45050] Change Windows Kerberos client to use default credentials when no password is specified - MongoDB Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 4.2.3, 4.0.18, 3.6 Required
Component/s: None
Labels:
None

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Backport Requested:

v4.2, v4.0, v3.6
Sprint:
Security 2019-12-30
Case:

Description

The Windows Kerberos client calls AcquireCredentialsHandle with a populated SEC_WINNT_AUTH_IDENTITY even when the user provides no password. In some customer setups, AcquireCredentialsHandle returns SEC_E_NO_CREDENTIALS as a result because the mongo client is asking for Windows to return something other then the default credentials.

While I cannot repro this issue locally, we have confirmed with the customers that if AcquireCredentialsHandle is called without SEC_WINNT_AUTH_IDENTITY, then clients can successfully connect. Both a patched shell and the node.js driver can successfully connect in these cases.

The fix is to not pass SEC_WINNT_AUTH_IDENTITY to AcquireCredentialsHandle unless the user specifies a password.

Attachments

Issue Links

is related to

DRIVERS-2180 Kerberos on Windows should not pass username to SSPI when password is not set

Implementing

Activity

People

Assignee:: Mark Benvenuto

Reporter:: Mark Benvenuto

Participants:: Githook User, Mark Benvenuto

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: Dec 10 2019 10:53:51 PM UTC

Updated:: Jan 31 2022 04:41:26 PM UTC

Resolved:: Dec 12 2019 06:27:38 PM UTC